Cyber Security Authority Warns of FortiBleed Attacks on Firewalls and VPN Gateways
Ghana’s Cyber Security Authority has issued a technical advisory warning organisations about an active cybercrime campaign targeting Fortinet FortiGate firewalls and SSL VPN gateways through credential harvesting and password-spraying attacks.
The campaign, known as “FortiBleed”, is aimed at internet-facing Fortinet devices and does not depend on a newly discovered software vulnerability. Instead, the attackers are exploiting weak credential practices, including reused passwords, weak passwords and the absence of multi-factor authentication.
The warning, issued on June 19, 2026, under reference CERT/TA/2026-06/01, urges organisations to take immediate steps to protect administrative and VPN access points from compromise.
According to the CSA, threat actors are conducting automated scanning of exposed Fortinet devices and testing them against large datasets of previously leaked credentials.
Where valid credentials are found, attackers catalogue and reuse them to gain access to systems at scale across multiple sectors.
The authority warned that once access is obtained, compromised devices could be used to monitor network traffic, capture authentication data and establish persistent access within affected systems.
This could allow attackers to move laterally across internal networks, escalate privileges and compromise other systems, including Active Directory environments.
The advisory highlights a major weakness in many organisations’ cyber defence posture: attackers do not always need sophisticated new vulnerabilities to breach systems. In many cases, reused credentials, poor password hygiene and exposed administrative interfaces are enough to create serious risk.
The CSA said organisations may face increased exposure if administrative or VPN interfaces are publicly accessible, if passwords are reused, weak or not regularly rotated, if multi-factor authentication is not enforced for remote or administrative access, or if administrative access is not restricted to trusted IP sources.
These risk indicators are especially important because firewalls and VPN gateways are often trusted points of access into corporate networks.
When such devices are compromised, attackers may gain a privileged foothold from which they can observe traffic, harvest further credentials and move deeper into an organisation’s digital environment.
The authority advised organisations to review logs and investigate suspicious indicators of compromise.
These include login activity from unusual locations or times, repeated failed login attempts followed by successful access, unknown or unauthorised administrator accounts, unexpected configuration changes on firewalls, irregular VPN usage including concurrent or anomalous sessions, and network connections to suspicious or unfamiliar IP addresses.
The CSA warned that the presence of these indicators may suggest attempted or successful compromise and should trigger immediate response actions.
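The three log-based indicators the advisory names (one source spraying many accounts, a run of failures followed by a success, and one account holding sessions from two places at once) can be checked mechanically. The script below is an added example, not code from the CSA advisory or from Fortinet; the one-line log format, the thresholds and the IP addresses are constructed assumptions, not FortiGate's real syslog schema, so the parser would need adapting to real exported logs.

```python
"""Flag the credential-attack indicators from the advisory over constructed VPN auth log lines."""
from collections import defaultdict
from datetime import datetime

# Constructed sample (not real FortiGate output): "<ISO time> <src_ip> <user> <LOGIN_OK|LOGIN_FAIL>"
SAMPLE_LOG = """\
2026-06-19T02:00:01 203.0.113.7 alice LOGIN_FAIL
2026-06-19T02:00:02 203.0.113.7 bob LOGIN_FAIL
2026-06-19T02:00:03 203.0.113.7 carol LOGIN_FAIL
2026-06-19T02:00:04 203.0.113.7 dave LOGIN_FAIL
2026-06-19T02:00:05 203.0.113.7 erin LOGIN_FAIL
2026-06-19T02:00:06 203.0.113.7 erin LOGIN_OK
2026-06-19T08:15:00 198.51.100.4 alice LOGIN_OK
2026-06-19T08:20:00 192.0.2.9 alice LOGIN_OK
"""

def parse(text):
    """Turn each line into (timestamp, src_ip, user, result)."""
    return [(datetime.fromisoformat(t), ip, u, r)
            for t, ip, u, r in (line.split() for line in text.splitlines())]

def find_indicators(events, spray_users=5, fail_before_ok=3, window_s=600):
    """Return (indicator, detail) pairs; thresholds are assumed starting points, tune per site."""
    events = sorted(events)
    findings, by_ip, ok_by_user = [], defaultdict(list), defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
        if ev[3] == "LOGIN_OK":
            ok_by_user[ev[2]].append(ev)
    for ip, evs in by_ip.items():
        # One source failing against many distinct accounts: a leaked-credential list being sprayed.
        if len({u for _, _, u, r in evs if r == "LOGIN_FAIL"}) >= spray_users:
            findings.append(("password_spray", ip))
        # A run of failures and then a success from the same source: a guess that landed.
        fails = 0
        for _, _, u, r in evs:
            if r == "LOGIN_FAIL":
                fails += 1
            else:
                if fails >= fail_before_ok:
                    findings.append(("fail_then_success", f"{ip} {u}"))
                fails = 0
    for user, oks in ok_by_user.items():
        # The same account succeeding from two different sources inside the window.
        for a, b in zip(oks, oks[1:]):
            if a[1] != b[1] and (b[0] - a[0]).total_seconds() <= window_s:
                findings.append(("concurrent_sessions", f"{user} {a[1]},{b[1]}"))
    return findings

if __name__ == "__main__":
    for kind, detail in find_indicators(parse(SAMPLE_LOG)):
        print(f"{kind}: {detail}")
```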
The advisory recommends that organisations perform an initial exposure check using the tool provided at https://socradar.io/free-tools/fortibleed.
However, the authority’s main message is that exposure checks must be accompanied by stronger internal controls.
As immediate measures, organisations have been urged to rotate all administrative and VPN credentials, enforce multi-factor authentication and ensure the use of strong, unique passwords.
The CSA also recommends restricting access to administrative interfaces to trusted IP addresses or internal networks.
This is a critical safeguard because internet-exposed administrative interfaces significantly increase the attack surface available to threat actors.
The authority further advised organisations to disable unnecessary services, including unsecured management interfaces, to reduce exposure.
It also called for continuous monitoring of firewall, VPN and authentication logs to support investigation and incident response.
Network segmentation and least-privilege access controls were also recommended to limit lateral movement in the event of a breach.
These measures ensure that even when one system is compromised, attackers cannot easily move across the entire network.
The CSA further urged organisations to update all Fortinet devices with the latest firmware and configurations in line with vendor recommendations.
Although the advisory noted that the FortiBleed campaign does not rely on a newly discovered vulnerability, keeping firmware updated remains an essential part of reducing cyber risk.
The warning comes at a time when organisations across the world are facing increasing attacks on remote access systems, VPN gateways, firewalls and identity infrastructure.
These systems became even more critical as businesses expanded remote work, cloud services and hybrid operations.
For Ghanaian organisations, the CSA advisory should be treated as an urgent operational warning, not a routine technical notice.
Banks, telecoms companies, government agencies, logistics firms, universities, hospitals and private businesses all depend on secure network access.
A successful compromise of firewall or VPN infrastructure could expose sensitive data, disrupt services and create wider reputational and financial damage.
The advisory also reinforces the importance of basic cyber hygiene.
Multi-factor authentication, strong passwords, regular credential rotation, access restrictions and log monitoring may sound routine, but they remain among the most effective defences against credential-based attacks.
The FortiBleed campaign shows how weak identity controls can become a gateway to larger network compromise.
The CSA said it maintains a 24-hour Cybersecurity/Cybercrime Incident Reporting Point of Contact for assistance related to the advisory.
Organisations can call or text 292, contact the CSA via WhatsApp on 0501603111, or email report@csa.gov.gh.
The message from the authority is clear: organisations using Fortinet firewalls and VPN gateways must act immediately.
The attackers are not waiting for new vulnerabilities. They are exploiting old weaknesses in password management, exposed interfaces and poor access control.
For businesses and public institutions, the cost of delay could be significant.
The safest response is to assume exposure is possible, verify systems, rotate credentials, enforce multi-factor authentication and strengthen monitoring before attackers gain a foothold.
